“Not aligning cybersecurity and business goals – Cybersecurity professionals said the most beneficial action companies can take is adding goals and metrics related to security that IT business managers and security teams can work toward.

“Not building repeatable processes – As mentioned above, one of the top two security challenges named by security professionals is too many manual and informal security processes. These workers suggest that the second most beneficial action organizations can take is to document and formalize all cybersecurity processes.

“Not investing in training – While companies are increasing cybersecurity budgets, they tend to invest more in technology solutions than their employees, according to the report. Investing in more training and education at all levels, from non-technical employees to the IT and security teams to executive management, is key for protecting organizations.

“Not providing the right training – Cybersecurity professionals said they look to specific training courses (76%) and professional development organizations (71%) to build knowledge, skills, and abilities, rather than security certifications. Organizations can look to offer more sophisticated, continuous training, with a focus on specific skills that tend to be lacking, such as application and cloud security.

“Not assuming a perpetual skills shortage in future planning and strategy – Since cybersecurity professionals say the no. 1 security challenge they face is their staff being undersized for their organization, businesses must create aggressive programs for recruiting talent from IT teams and the business side to bridge security gaps, the report recommends.”

Here is a great summary from Axios about the shortage of professionals in the area of cybersecurity. We need to fill the gap ASAP. Is there a shortcut?

Endgame’s Artemis desktop. (Screenshot: Endgame)

“With Russia, China, Iran and North Korea on the loose, experienced and knowing cybersecurity hands are among the world’s most-sought-after workers. The trouble is that there are not nearly enough of them — estimates are that the U.S. alone could use 200,000 more cyber experts to protect the country’s private and public computers. And half or fewer of those applying are not qualified, according to a survey by ISACA, an industry association.

“What’s happening: Endgame, a Virginia-based cybersecurity firm that has worked most closely with the U.S. intelligence agencies, launched Artemis, an intelligent chatbot.

“Why it matters: Hyrum Anderson, Endgame’s lead data scientist, says Artemis is a shortcut to closing the gap between inexperienced “Tier 1” computer analysts and top-flight but comparatively few “Tier 3” professionals, who know the field.

The volume of potentially malicious alerts is “staggering, so a real threat can be lost in the noise,” Anderson tells Axios.

But by typing questions using natural English into Artemis, a relatively new cybersecurity analyst can conduct a sophisticated investigation of a vast computer system. “Our customers are trying to protect their systems with limited resources,” he said.

Be smart: “The yawning shortage of professionals, propelled by a wildly active hacking community — such as BadRabbit, the most recent ransomware attack — is global. There will be 3.5 million unfilled cybersecurity jobs by 2021, forecasts CyberSecurity Ventures, an industry newsletter. The forecast includes the West and other countries including India, Japan and China.”

There is an elephant in the room. It has been there for a while and everyone knows it. It doesn’t seem interested in going away. We keep hoping it will. It is making messes no one wants to deal with.

The elephant has a name. The name is Cyber-Security.

It is clearly a big issue, so this is not a baby elephant. We will have to talk about it when a breach occurs (and it will). The problem with that approach is that when it happens, the focus becomes figuring out the technical aspects of how it happened, not what we should do holistically, beyond just the technology, to prevent it.

This is where another elephant issue comes into play. Remember the blind men who, having never come across an elephant before, learn and conceptualize what the elephant is like by touching it.

A recently published global survey of C-Suite level executives and IT Decision Makers (ITDMs) revealed a large gap in assessments of cyber threats, costs and areas of responsibilities. Among the most significant disconnects:

80% of the executives surveyed in the U.S. believe cybersecurity to be a significant challenge facing their business, while only 50% of ITDMs agree.

ITDMs estimated the average cost of a cyber breach at $27.2 million, much higher than the average $5.9 million cited by executives.

50% of the executives surveyed believe the reason why an attack on their organization would succeed would be due to human error of employees, compared to 31% of ITDMs.

The research shows there is a lack of understanding when it comes to the cost of a successful breach, which many underestimate. It isn’t just about what the thieves get away with. A successful cyber attack can have far reaching implications such as impacting share price, lost business, fines — even a failed strategic investment or merger.

Retail operations have very effective security. We should look at their approaches and design computer security in a similar fashion.

Computer systems, corporate and government, will continue to be breached at an alarming rate, which is of course much higher than is publicly disclosed. More money will be spent and people hired. More standards will be set, regulations promulgated and enforced. As should be obvious by now, most of the money will be wasted, most of the people will accomplish nothing, and the regulations will increase costs while making things worse. Unless something changes.

The problem of cybersecurity can be solved. But it can only be solved if: we acknowledge we’re at war and act accordingly; we apply within the guts of our systems common-sense methods whose principles are clear, obvious and proven in other domains; and we start acting as though we actually want to solve the problem, as opposed to the current strategy of denial, cover-up and blame-shifting.

According to Statista, “Cyber attacks are a constant threat to businesses around the world with vast sums of money being spent to protect against them. The image of some nefarious character plotting in his or her bedroom is one most of us have when thinking about hackers and cyber criminals. While in 2015, 40 percent of attacks stemmed from ‘outsiders’, a surprising 60 percent were actually perpetrated by company insiders.

“IBM, who produced the figures based on information from over 8,000 of their clients’ devices, revealed that although 15.5 percent of such ‘attacks’ were caused inadvertently, 44.5 percent were deemed to have been malicious.

“An insider is defined as anyone who has physical or remote access to a company’s assets. IBM note that although this would often be an employee, it can also mean business partners or maintenance contractors – people you trust enough to grant system access to. Insiders not only have this access, they may also be aware of your weaknesses and thus exploit them more effectively than an outside agent might be able to.”

There’s no stopping the mobile CRM revolution, but those who rush into it headlong with an eye only to the many benefits may be in for an unpleasant shock. There is a significant security risk to be managed. It is doable but needs to be well thought out.

As if we didn’t have enough to worry about, mobile CRM is laden with risks, too — from getting on the wrong side of the customer to getting on the wrong side of the federal government. Then there are the myriad security concerns that go along with making sensitive company data accessible on a device that may be woefully insecure.

If you work for the Federal government, this is your worst nightmare. Your social security number is no longer secure and is quite possibly in the hands of the Chinese. It is likely to also be in the hands of criminals already who can make your life miserable for a very long time.

You can read details of the new plan to protect those affected by the hack here but it is not reassuring since you are already exposed.

Ensuring the integrity, privacy and security of employee data is key to a trusting and engaged workforce. Without that foundation, nothing else that is done will make a difference.

We’re moving into science-fiction disaster territory as the U.S. Office of Personnel Management (OPM) admits that more than 22 million employees’ personal records have been stolen. But the OPM has a new, improved plan to protect their records.

This 22 million number is even higher than the FBI’s leaked 18 million figure. On an OPM site, the agency revealed the most likely victims are those who “underwent a background investigation through OPM in 2000 or afterwards.”

In short, if you filled out a form SF-86, Questionnaire for National Security Positions; SF-85, Questionnaire for Non-Sensitive Positions; or SF-85P, Questionnaire for Public Trust Positions, your records are toast. Or, as OPM put it, “it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely.”

Before we get into the details of the plan that’s to make this all better, you should know what’s been revealed. These “records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”

There are calls for Katherine Archuleta, director of the federal Office of Personnel Management, to resign. She said she has no plans to step down and is committed to continuing her work for the agency. One day after saying that, she resigned.

But Archuleta has no background in tech or cyber-security. In the official White House press release on her first day, Archuleta was heralded as “the first Latina” to run the OPM and someone who “[w]ith her breadth of experience as an educator, public administrator, and community leader, Katherine Archuleta possesses an abundance of skills to bring talented people together with different ideas and fresh perspectives to strengthen our federal workforce.”

It is time to see ourselves from the vantage point of our enemy. There may be a number of reasons someone may want to hack into our systems. Executive teams and leadership need a different view of the world. What can we do?

Understand your major risks and how adversaries aim to exploit them

Take inventory of your assets and monitor them continuously

Make security a part of your mission

Be active, not passive, in hunting adversaries on your network and removing them

We can all prevent a disaster if we are diligent in taking responsibility for our own security.

Companies need to take a new approach. They can do so by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what’s to come.

Unfortunately, this mindset is still too rare. Despite spending billions of dollars every year on the latest security products and hiring the best security engineers and analysts, companies are more vulnerable than they’ve ever been. Two trends account for this: the rapid convergence of enterprise IT architectures, and the proliferation of increasingly sophisticated adversaries.

There are huge gains to be made from digitizing our business and data. We are all enjoying the benefits. Our customers are having better experiences.

Lots to be thankful about here for sure.

But …

There are some risks to be managed. Digital executives also need to make sure we don’t damage our customer loyalty by allowing hackers easy access to our digital systems.

Digitization of data, products, and processes is an increasingly important driver of economic growth, but it also creates a host of cybersecurity challenges and vulnerabilities. The push toward greater multichannel integration, for instance, adds significantly to the customer experience but introduces many more interfaces that intruders can exploit. Likewise, companies’ closer collaboration with business partners, customers, advisers, and other third parties can enrich everything from product development to recruiting but can also result in more complex, conjoined supply chains and information flows. Hybrid delivery models, in which some business services and processes are moved to the cloud and managed by external providers, extend the security perimeter and add to the sweep of activities that companies must monitor to detect attacks on their environments.

If you are focused on your customers, and you sell computers, you don’t want this said about you. Unfortunately, it is probably true. Trust is important. Clearly Lenovo doesn’t get that.

Quite possibly the single worst thing I have seen a manufacturer do to its customer base. ~Marc Rogers, Security Expert

In a blatant disregard for security, Lenovo did the unthinkable. It goes way beyond bad form to knowingly install malware on computers. If computer makers don’t take security seriously, what hope do we have as consumers?

Lenovo’s response to the uproar has been sluggish and for the most part inadequate. After the storm broke last week, the company said it would stop pre-installing the culprit software on its computers, and “spend the next few weeks digging in on this issue, learning what we can do better.” In an interview with the Wall Street Journal, its chief technical officer, Peter Hortensius, dismissed the “security guys’” concerns as “theoretical.” He said, “we have no insight that anything nefarious has occurred.”

It will be interesting to see if this in fact helps anything or not. It could in fact hurt.

“Seventy to 80 percent of the user bases for a lot of these companies are the foreigners who get very little protection under our system,” explained Julian Sanchez, a senior fellow focused on technology and civil liberties at the Cato Institute. “If they don’t display some push back, they know they won’t do very well with those markets.”

Traditionally, the fundamental focus of the Enterprise has been to preserve and expand its value through “classic Assets” as reflected on the Balance Sheet. More recently, Information Assets have become an important new source of value, and are increasing at an appreciable rate in almost every industry. Today, these Information Assets are at risk as never before.

President Obama signed an executive order Friday that urges companies to share cybersecurity-threat information with one another and the federal government.

Obama signed the order, which is advisory in nature, at the first White House summit on Cybersecurity and Consumer Protection at Stanford University here. The summit, which focused on public-private partnerships and consumer protection, is part of a recent White House push to focus on cybersecurity.

Obama said the prospect of cyberattacks is one of the nation’s most pressing national security, economic and safety issues. The specter of a cyberattack crippling the nation’s air traffic control system or a city with a blackout is real, and hacks such as the one on Sony Pictures last year are “hurting America’s companies and costing American jobs.” He also said they are a threat to the security and well-being of children who are online.

Lurking in our technology systems, many times for months on end, criminals are looking and finding ways to compromise our security.

Employee engagement, in this case, becomes a huge issue. Employees want a safe place to work. Their engagement hinges on this core premise.

Health insurer Anthem Inc, which has nearly 40 million U.S. customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees.

Your company’s or nonprofit’s reputation is at stake. If you are a digital executive, please ask your CIO if you have a “zero trust” approach to cyber security. The employee and customer experience is contingent on the answer.

I’m not overstating the case. Just ask Sony, Centcom, Chase, Home Depot or Target.

This approach allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructures without compromise to security. It means that not only will we protect the perimeter of the building and the main entrances but when you get in the building, you can only go to one room. Period. No capability to just wander around from room to room. Yes, it says we will trust you in this one room of the building but not everywhere. And the one room you have access to has very narrow functionality.
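The “one room only” rule described above is, in code, a default-deny authorization check: being on the network (authenticated) is necessary but never sufficient, and every access is an explicit grant of one principal to one resource for one action. The following is an added illustration, not code from the original post or from any product it mentions; the principals, resources, actions and policy table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample policy: an explicit allow list keyed by (principal, resource).
# Anything not listed is denied. This is the "one room only" rule: alice may
# enter hr-db and payroll-export, bob may enter build-server, and nobody may
# wander into a room they were not granted.
Policy = Dict[Tuple[str, str], Set[str]]

POLICY: Policy = {
    ("alice", "hr-db"): {"read"},
    ("alice", "payroll-export"): {"read", "write"},
    ("bob", "build-server"): {"read"},
}


@dataclass
class Request:
    principal: str
    resource: str
    action: str
    authenticated: bool  # "the perimeter let them in"; a separate question from access


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request, policy: Policy = POLICY) -> Decision:
    """Default-deny: return an allow only for an explicit (principal, resource, action) grant."""
    if not req.authenticated:
        return Decision(False, "unauthenticated principal")
    granted_actions = policy.get((req.principal, req.resource))
    if granted_actions is None:
        # On the network, but this room was never granted: no wandering room to room.
        return Decision(False, f"no grant for {req.principal} on {req.resource}")
    if req.action not in granted_actions:
        # Right room, but the room has narrow functionality.
        return Decision(False, f"action {req.action!r} not granted on {req.resource}")
    return Decision(True, "explicit grant")


def audit(requests: List[Request], policy: Policy = POLICY) -> List[str]:
    """Evaluate a batch of requests and return one audit line per request.

    Denied requests are what a monitoring team would review: they show attempted
    movement between rooms, which a perimeter-only model would never log.
    """
    lines = []
    for req in requests:
        decision = authorize(req, policy)
        verdict = "ALLOW" if decision.allowed else "DENY"
        lines.append(f"{verdict} {req.principal} {req.action} {req.resource}: {decision.reason}")
    return lines


if __name__ == "__main__":
    # Constructed traffic: one legitimate access, one attempt to move sideways.
    sample = [
        Request("alice", "hr-db", "read", authenticated=True),
        Request("alice", "build-server", "read", authenticated=True),
        Request("bob", "build-server", "write", authenticated=True),
        Request("alice", "hr-db", "read", authenticated=False),
    ]
    for line in audit(sample):
        print(line)
```

The policy table is deliberately flat: each entry is one principal, one resource, and the narrow set of actions that room permits, so a reviewer can read the whole grant surface at a glance.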

“But the world has changed and we cannot carry on doing things the way we did in the 70s and 80s,” John Kindervag, principal analyst at Forrester Research

President Obama just unveiled a number of proposals to crack down on hackers. It’s great that the government is working on this but we need to do a better job of protecting ourselves. Jimmy Kimmel sent a camera out onto Hollywood Boulevard to help people by asking them to tell us their password. And you have to see this to believe it.

This is the challenge of cyber security. Sad but true.

What is your password?

After watching the video and laughing, it’s time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all?

Those of you using “123456,” “abc123,” or even just “password” might already know it’s time to make some changes. And using pets’ names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn’t going to be enough.

Is a password manager a solution? A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.
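The point made above, that adding a number or a capital letter to a weak base word does not help, and that a manager should generate long random passwords instead, can be shown concretely. This is an added example, not code from the original post or from any password manager: it normalizes a candidate password back to its base word before comparing it with a tiny constructed stand-in for a breached-password list and a constructed set of “personal” words, then generates a replacement the way a manager would. The word lists and thresholds are assumptions for the example.

```python
import re
import secrets
import string
from typing import List, Set

# Constructed, deliberately tiny stand-in for a list of commonly used passwords.
COMMON_PASSWORDS: Set[str] = {"123456", "abc123", "password", "qwerty", "letmein", "welcome"}

# Constructed "personal" words an attacker could guess from a social profile:
# a pet name, a sports team, a birth year.
PERSONAL_HINTS: Set[str] = {"fluffy", "yankees", "1987"}

# Common character substitutions people use to dress up a weak word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed threshold for the example


def normalize(pw: str) -> str:
    """Undo the cosmetic tweaks: case, a trailing number or punctuation, leetspeak."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # "password1!" -> "password"
    base = base.translate(LEET)             # "p@ssw0rd"   -> "password"
    return re.sub(r"[^a-z0-9]", "", base)   # drop any remaining punctuation


def weakness_reasons(pw: str, personal: Set[str] = PERSONAL_HINTS) -> List[str]:
    """Return every reason the password is weak; an empty list means no finding."""
    reasons = []
    base = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("common password, possibly with a number or capital added")
    if base in personal or any(hint in pw.lower() for hint in personal):
        reasons.append("built from personal information")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) <= 3:
        reasons.append("too few distinct characters")
    return reasons


def is_weak(pw: str) -> bool:
    return bool(weakness_reasons(pw))


def generate_password(length: int = 20) -> str:
    """Generate a password the way a manager does: long and drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates that look "tweaked" but reduce to a guessable base.
    for candidate in ["Password1!", "P@ssw0rd", "Fluffy2019", "abc123"]:
        print(candidate, "->", weakness_reasons(candidate))
    replacement = generate_password()
    print("generated:", replacement, "weak?", is_weak(replacement))
```

Normalizing before the lookup is what makes the check honest: “Password1!” and “P@ssw0rd” both collapse to the same base word, which is exactly why the tweaks add no real strength.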

Cyber security is an important issue not just for computers but also for any device that has an internet connection. That list of devices is growing every day. While our intentions are noble and caring, there is risk to be managed as well.

One more thing to add to our checklist for security consideration. And the government is getting into the game with regulations.

Medical devices are just the latest in a growing list of Internet of Things that are at risk for potential hacks. On the surface, it may seem almost foolish to worry that some stranger will want to control a person’s insulin dosage or shut off a pacemaker or manipulate health data, but we also wondered why anyone would want to hack into cloud storage to steal compromising photos of actresses or someone would stage a major attack on an entertainment company in retaliation for a movie. If something can be hacked, it will be hacked. If for no other reason, this puts medical devices and the patients who rely on them at great risk.

Like virtually every device connected to a network, medical equipment was never designed with cyber security in mind. However, thanks to the Food and Drug Administration’s new guidelines, that will change. Manufacturers are now instructed to build cyber security functionality into new medical devices. How these cyber security functions will be addressed will depend on the device itself – its intended use, overall vulnerability concerns, and risks to the patient, for instance. The guidelines go on to list the types of cyber security functions that should be included, such as layered authentication levels and timed usage sessions that ensure the device isn’t connected to the network any longer than necessary.
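Two of the functions named above, layered authentication and timed usage sessions, can be sketched as a small session check. This is an added example, not code from the FDA guidance, from the original post, or from any device vendor: the time limits, the role names and the “change dose” step-up rule are assumptions chosen to show the shape of such a control, with the clock passed in so the behaviour is testable.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed limits for the example; a real device would derive these from its risk analysis.
MAX_LIFETIME = 15 * 60   # seconds a session may exist at all
IDLE_TIMEOUT = 2 * 60    # seconds without activity before the device disconnects
STEP_UP_WINDOW = 60      # seconds within which a second factor counts for a sensitive action


@dataclass
class Session:
    user: str
    role: str                        # constructed role names: "nurse" or "clinician"
    started_at: float                # injected clock (seconds) so the example is deterministic
    last_activity: float
    second_factor_at: Optional[float] = None   # when the second authentication layer last succeeded


def session_valid(s: Session, now: float) -> bool:
    """Timed usage: both the absolute lifetime and the idle window must be unexpired."""
    return (now - s.started_at) <= MAX_LIFETIME and (now - s.last_activity) <= IDLE_TIMEOUT


def record_second_factor(s: Session, now: float) -> None:
    """Called after the second authentication layer (e.g. a one-time code) succeeds."""
    s.second_factor_at = now


def authorize_action(s: Session, action: str, now: float) -> Tuple[bool, str]:
    """Layered authentication: routine reads need a live session, dose changes need more."""
    if not session_valid(s, now):
        return False, "session expired; reconnect required"
    if action == "read_telemetry":
        s.last_activity = now
        return True, "ok"
    if action == "change_dose":
        if s.role != "clinician":
            return False, "role not permitted to change dose"
        if s.second_factor_at is None or (now - s.second_factor_at) > STEP_UP_WINDOW:
            return False, "recent second factor required"
        s.last_activity = now
        return True, "ok"
    return False, f"unknown action {action!r}"


if __name__ == "__main__":
    # Constructed timeline: a clinician connects at t=0 and works for a few minutes.
    s = Session(user="dr.constructed", role="clinician", started_at=0.0, last_activity=0.0)
    print(authorize_action(s, "read_telemetry", now=60))        # ok
    print(authorize_action(s, "change_dose", now=70))           # second factor required
    record_second_factor(s, now=75)
    print(authorize_action(s, "change_dose", now=80))           # ok
    print(authorize_action(s, "read_telemetry", now=80 + 121))  # idle timeout
```

The two timers express the guidance's intent directly: the idle timeout drops a forgotten session quickly, and the absolute lifetime caps exposure even for a session that is kept busy.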

This is stunning and way too common, according to security experts. There are simple and easy-to-use technology programs that would have allowed the technology department to see if this was going on. It isn’t clear if Sony didn’t use the technology or ignored it for senior executives. It also isn’t clear if they did or did not have a policy against sharing passwords.

What is needed is an aggressive cyber security program that is perpetual and focuses on continuous improvement. This is an investment, in this day and age, that can’t be ignored.

In the weeks before hackers broke into Sony Pictures Entertainment, the studio suffered significant technology outages it blamed on software flaws and incompetent technical staffers who weren’t paying attention, even as hackers targeted executives to trick them into revealing their online credentials.

Its chief executive was regularly reminded in unsecure emails of his own secret passwords for his and his family’s mail, banking, travel and shopping accounts, according to a review of more than 32,000 stolen corporate emails circulating on the Internet.

The stolen files expose lax Internet security practices inside Sony such as pasting passwords into emails, using easy-to-guess passwords and failing to encrypt especially sensitive materials such as confidential salary and revenue figures, strategic plans and medical information about some employees. Experts say such haphazard practices are common across corporate America.

“Most people who say they’re not doing that are lying,” Jon Callas, co-founder and chief technology officer for Silent Circle Inc., a global encrypted-communications service

While it is important to find out who did this, it is more important to know that it can be done and to protect our corporate information assets from this kind of exposure.

The ongoing cost to Sony as a fallout of the cyber security breach will be massive litigation cost. Beyond that cost, there is the real “employee engagement” cost as employees feel that the trust they place in their employer has been violated.

For these reasons and more, companies should consider more sophisticated and responsive methodologies and architectures for addressing this challenging environment. What is needed is a comprehensive and, maybe even more importantly, sustainable cyber security program for organizations seeking to reduce their risk exposure, provide available protections as they emerge, and sustain a responsive framework for this rapidly-evolving area to “manage down” the uncertainty level.

Unlike other security options available, what is needed is not a single-point solution, a specific technology, or a means of gaining simple compliance, nor an audit or “pen-test” concept based on past methods applied to a “now-and-future” problem set. Companies need a far-reaching risk-abating program which reaches across the Enterprise to find and erode risk wherever it may reside. Employees expect their personal data to be secure at their places of employment.

A second lawsuit was filed against Sony on Tuesday, this time by a group of production managers, according to The Hollywood Reporter. Plaintiffs include Susan Dukow and Yvonne Yaconelli, who claim Sony should have known better than to provoke North Korea by including the real Kim Jong-Un in The Interview. Unlike the earlier lawsuit (see below) which was filed in federal court, Dukow and Yaconelli filed in Los Angeles Superior Court. But like the federal case, it also points the finger at lax cybersecurity in the face of threats and known weaknesses and is seeking unspecified damages.

There are a number of critical components to becoming a digital organization. Five to consider are:

Customer-centricity

Business process optimization

Actionable insight

Innovation culture

Information security

Often overlooked is security. Nothing will aggravate customers and employees more than a breach in security. What is clearly needed is a continuous improvement process around cyber security.

Proactive Enterprise Risk Management that demonstrates an unrelenting commitment to information security and privacy reduces the cost of compliance and builds trust with customers. Recent financial and personal information breaches have resulted in billions of dollars of losses to the Financial Industry. These incidents have increased customer aversion to sharing personal data digitally.

Industry data proves that there is no significant difference between security breaches in storing data privately versus in the cloud. But customers and the industry alike are still coming to terms about the dependability and security of storing their data in the cloud. The interchange of data through the ‘Internet of Things’ makes personal data security and privacy much more vulnerable. This puts pressure on the cost of information management and can slow down the implementation of successful digital strategies. Therefore, it is critical to have a clear Enterprise Risk Management strategy and implementation plan which delivers the highest security standards.

A blog post from computer security firm F-Secure may send a chill through the C-suites of major corporations and nonprofits across the globe. Already released are employee social security numbers, proprietary content and sensitive emails.

No one is exempt from this threat. Major nonprofits have already been hacked. Many times the hackers have been in systems for up to 7 months before the hack is detected (this is the current industry average).

Audit Committees and Boards of Directors have been concerned for some time now about these threats. This trend will only continue.

What is the solution? We need continuous cyber security improvement programs. One time audits and one off implementations won’t protect us.

Consider this:

A blog post from computer security firm F-Secure may send a chill through the C-suites of major corporations across the globe.

F-Secure calls the Sony Pictures (NYSE:SNE) hacking incident the worst ever seen by a company, but that’s not even the scary part.

The take from F-Secure is that it’s sophisticated extortionists behind the incident – not ticked off North Korea sympathizers.

The public execution of Sony Pictures could just be a warning aimed at future targets, theorizes F-Secure.

The FBI has issued a flash alert which warns that other companies might already have the malware in their systems.

Traditionally, the fundamental focus of the Enterprise has been to preserve and expand its value through “classic Assets” as reflected on the Balance Sheet. More recently, Information Assets have become an important new source of value, and are increasing at an appreciable rate in almost every industry.

Big data is all the rage. Securing big data is lagging behind. Today, these Information Assets are at risk as never before.

The Board of Directors possesses well-developed mechanisms for governance, audit and compliance geared toward the oversight of Classic Assets. Where are the protective, risk-reducing and oversight-managing mechanisms for our increasingly valuable Information Assets? We need to help answer these and other important questions.

Today’s Enterprises exist in a world constantly susceptible to cyber-terrorism:

The threat is growing and expanding at an alarming rate

New threat sources are emerging as nation-states and other more sophisticated actors become real and present risk vectors

The pace of regulation and compliance requirements continues to accelerate

Boards feel themselves outstripped by the needs, the risks, and the gaps in the top-level expertise available to address the issues

New technologies in the areas of mobile devices, cloud services, big data, and smart devices continue to expand the proliferation of un-secured entry points

The need for a different approach

For these reasons and more, we should consider more sophisticated and responsive methodologies and architectures for addressing this challenging environment. We need a comprehensive and, maybe even more importantly, sustainable cyber security program for organizations seeking to reduce their risk exposure, provide available protections as they emerge, and sustain a responsive framework for this rapidly-evolving area to “manage down” the uncertainty level.

It’s inevitable. Whether in the boardroom or around the office, you’re bound to have “the talk” about big data analytics for cyber security—if you haven’t already. At issue is whether or not your organization is optimizing its data collection and analytics efforts to your best ability to detect and defend against cyber intrusions.

Roberta Anderson is the Chief Information Security Officer for the City of Colorado Springs. She has over 15 years of information and cyber security expertise in both the public, private, and Department of Defense sectors. She holds the Certified Information Systems Security Professional (CISSP), NSA and Committee for National Security Systems (CNSS) 4011 and 4012 certifications, in addition to Security + and Network +. She has her Bachelors in Cybercrime Investigation, and Masters in Cyber Security and Information Assurance. You can connect with Roberta on LinkedIn: http://www.linkedin.com/pub/roberta-anderson/96/428/293

————————-Guest Blog———————

Be Your Own Advocate

Security

A recent study of 2,000 consumers in an online survey revealed nearly 3/4 of respondents did not think companies cared enough about the security and privacy of their data.

“Despite being outraged over a string of recent retailer breaches and revelations regarding the National Security Agency’s monitoring activities, Eric Chiu, president and co-founder of HyTrust, said he hasn’t witnessed any notable shift in consumers’ behavior around valuing security. Consumer inaction doesn’t mean organizations can continue to ignore data privacy and security though, warned Chiu, who pointed to the recent breach at Minneapolis-based retailer Target as an example of spiraling costs associated with suffering a data breach.”—techtarget.com

From a consumer perspective, this means people should not assume their data is being protected; people need to be their own advocates. From a business perspective, this means the bar needs to be raised. If companies want to increase consumer trust, as well as be customer focused, they need to improve their internal information security practices.

Cyber-attacks are increasingly easy with faulty software, absent internal auditing processes, and budget cuts, but the responsibility to perform due diligence should not yield. Customers deserve for their data to be protected, and even though the majority is not demanding it now, the time is not too far in the future.

Eventually, consumers and lawmakers alike are going to mandate better information security practices. President Obama has officially endorsed a better framework for improving the Nation’s cybersecurity through Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”. Smart companies will do the same by ensuring they are thinking innovatively and “ahead of the curve”. It is the companies who respond to customer protection without being asked which will likely profit, and improve their customer base. Don’t wait until a breach occurs to modify your data security, it could prove to be very costly.